President Obama called for the Cybersecurity Framework in his Improving Critical Infrastructure Cybersecurity Executive Order. In accordance with the Executive Order, the Secretary of Commerce has directed the Director of NIST to lead the development of a framework to reduce cyber risks to critical infrastructure, such as power plants and financial, transportation and communications systems. NIST will issue a Request for Information from critical infrastructure owners and operators, federal agencies, state, local, territorial and tribal governments, standards-setting organizations, other members of industry, consumers, solution providers and other stakeholders.
NIST will use the input gathered to identify existing consensus standards, practices and procedures that have been effective and that can be adopted by industry to protect its digital information and infrastructure from the full range of cybersecurity threats. The framework will not dictate "one-size-fits-all" solutions, but will instead enable innovation by providing guidance that is technology neutral and recognizes the different needs and challenges within and among critical infrastructure sectors.
"The Commerce Department has a critical role to play in helping American businesses address their cybersecurity issues and risks," said Deputy Secretary of Commerce Rebecca Blank. "As we move forward with the Cybersecurity Framework, NIST will be collecting input from a wide variety of stakeholders to come up with an effective set of voluntary standards that will safeguard our nation's most critical infrastructure from cybersecurity threats. Protecting our businesses and systems from attacks, while also ensuring that new voluntary standards allow the flexibility for innovation, is crucial to ensuring our economy can continue to grow."
In the official Request for Information, which will be published in the Federal Register, NIST will ask organizations to share their current risk management practices; use of frameworks, standards, guidelines and best practices; and other industry practices. NIST plans to hold workshops over the next several months to collect additional input and will complete the framework within one year.
"The process for developing the framework reflects a core component of NIST's work, bringing together various stakeholders to address a technical challenge," said Under Secretary of Commerce for Standards and Technology and NIST Director Patrick Gallagher. "By collaborating with industry to develop the framework, we will better protect our nation from the cybersecurity threat while enhancing America's ability to innovate and compete in a global market."
The RFI will request additional information on a number of core practices NIST views as applicable across industry, for example:
Encryption and key management--With multiple encryption tools in use at any given organization, how does one protect, store and organize encryption keys?
Asset identification and management--How does an organization determine which assets need protection and their value?
Security engineering practices--How does an organization design its systems to meet security needs?
The framework will consist of a roadmap and structure for future efforts, including a recommended process for how the standards within each sector will be reviewed by each stakeholder community. NIST will continue to revise and update the framework to meet changing business and security needs.
It will include metrics, methods and procedures that can be used to continuously assess and monitor the effectiveness of deployed security controls as well as the effectiveness of framework standards, guidelines and best practices. The framework will provide a menu of management, operational and technical security controls, including policies and processes; and will lay a foundation for the development of effective conformity assessment based on NIST's guidelines.
More information on the Cybersecurity Framework can be found at www.nist.gov/itl/cyberframework.cfm.
More information on the President's Improving Critical Infrastructure Cybersecurity Executive Order can be found at: http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity.
As a non-regulatory agency of the U.S. Department of Commerce, NIST promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.